CVE-2022-45138 CRITICAL

CVE-2022-45138: WAGO: Missing Authentication for Critical Function

Vendor Wago
Product Compact Controller CC100 (751-9301)
Weakness CWE-306 · Missing auth
Published February 27, 2023
Last update March 10, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The configuration backend of the web-based management can be used by unauthenticated users, although only authenticated users should be able to use the API. The vulnerability allows an unauthenticated attacker to read and set several device parameters that can lead to full compromise of the device.

Key dates

02 Disclosure timeline

February 27, 2023 CVE published
March 10, 2025 Record updated